What Happened in Vegas (That You Actually Want to Know About)
Welcome to this week's edition of the Threat Source newsletter. Last week, I flew 5,000 miles to Las Vegas for Black Hat USA, and what an experience it was! After navigating the casino carpet labyrinth and finding a venue that serves a proper English breakfast tea with milk (lifesaver), I realized that Black Hat feels exactly like trying to run in a dream — you're always heading somewhere, never quickly, and the water costs $8. I don't mean to complain, although as a Brit, I'm practically obligated to file a formal grievance about the weather, tea or queue length. In truth, it was a brilliant week, and I got to watch my fellow Talosians deliver some outstanding presentations and research.
Rather than recap everything we did (our YouTube channel will have plenty of research highlights soon), here are three standouts from this year's Black Hat USA:
Malvertising Campaign: PS1Bot
Cisco Talos has identified a widespread malvertising campaign distributing a multi-stage malware framework, which we've dubbed "PS1Bot." This campaign uses PowerShell and C# modules to steal sensitive information, log keystrokes, capture screenshots, and maintain persistent access on infected systems. What's particularly concerning about PS1Bot is that it employs in-memory execution and modular updates, targeting browser credentials, cryptocurrency wallets, and more, while minimizing its footprint to evade detection.
PS1Bot has been active and rapidly evolving throughout 2025, with the potential for widespread infection through casual browsing and downloading seemingly safe files. If you use cryptocurrency wallets or save passwords in browsers, be extra cautious when downloading files from search results or ads. Keep your security software updated, and consider using dedicated password managers and security tools instead of storing sensitive info in browsers.
Stay informed about evolving threats like PS1Bot, as attackers are constantly updating their tactics. Talos' blog also provides Snort SIDs and ClamAV detections to help you stay ahead of the threat.
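The PS1Bot summary above turns on one defensive point: PowerShell stages that load C# and further modules in memory leave little on disk, so the script-block text that PowerShell logging records (event 4104) is often the best place to look. The following is an added example written for this newsletter, not Talos' code and not taken from the PS1Bot research: it pulls ScriptBlockText out of event XML, scores each block against a small set of generic in-memory execution heuristics (reflective assembly loading, inline C# compilation, base64 decoding feeding dynamic evaluation, encoded commands, download cradles), and ranks the results. The rules, weights, threshold and all sample records are constructed assumptions for illustration; none of them are PS1Bot indicators from the page.

```python
"""Heuristic triage of PowerShell script-block log text.

The rule set is a generic defender heuristic chosen for this example
(an assumption), not a set of PS1Bot indicators from the Talos post.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# (rule name, pattern, weight). Weights are constructed ranking values,
# not calibrated thresholds.
RULES = [
    ("reflective_assembly_load",
     re.compile(r"\[(?:System\.)?Reflection\.Assembly\]::Load\w*\(", re.I), 4),
    ("inline_csharp_compile",
     re.compile(r"Add-Type\s+(?:-TypeDefinition|-MemberDefinition)", re.I), 3),
    ("base64_decode",
     re.compile(r"FromBase64String\(", re.I), 2),
    ("dynamic_eval",
     re.compile(r"(?<![\w-])(?:Invoke-Expression|IEX)(?![\w-])", re.I), 2),
    ("encoded_command",
     re.compile(r"-(?:e|ec|enc|encodedcommand)\b\s+[A-Za-z0-9+/=]{20,}", re.I), 3),
    ("download_cradle",
     re.compile(r"(?:Net\.WebClient|Invoke-WebRequest|DownloadString)", re.I), 2),
]

ALERT_THRESHOLD = 5  # assumed cut-off for "escalate" vs. "review"


@dataclass
class Finding:
    record_id: str
    score: int
    matched: list = field(default_factory=list)

    def alert(self) -> bool:
        return self.score >= ALERT_THRESHOLD


def extract_script_block(event_xml: str) -> str:
    """Return the ScriptBlockText field of a 4104-style event, or ''."""
    root = ET.fromstring(event_xml)
    for elem in root.iter():
        # Tag comparison ignores the Windows event namespace prefix.
        if elem.tag.endswith("Data") and elem.get("Name") == "ScriptBlockText":
            return elem.text or ""
    return ""


def score_script_block(text: str):
    """Apply every rule; return (total weight, names of rules that hit)."""
    score, matched = 0, []
    for name, pattern, weight in RULES:
        if pattern.search(text):
            score += weight
            matched.append(name)
    return score, matched


def triage(records):
    """records: iterable of (record_id, script_text). Highest score first."""
    findings = []
    for record_id, text in records:
        score, matched = score_script_block(text)
        if matched:
            findings.append(Finding(record_id, score, matched))
    findings.sort(key=lambda f: f.score, reverse=True)
    return findings


# Constructed sample script blocks mimicking 4104 ScriptBlockText; they
# are not captured from any real system. The base64 blob in rec-005 is
# just "ABCDEFGHIJKLMNOPQRSTUVWXYZ" encoded.
SAMPLE_RECORDS = [
    ("rec-001", "Get-ChildItem C:\\Users\\alice\\Documents | Measure-Object"),
    ("rec-002", "$b = [Convert]::FromBase64String($payload); "
                "[System.Reflection.Assembly]::Load($b) | Out-Null; "
                "Invoke-Expression $stage2"),
    ("rec-003", "Add-Type -TypeDefinition $src -Language CSharp; "
                "[Loader.Entry]::Run()"),
    ("rec-004", "Import-Module ActiveDirectory; Get-ADUser -Filter *"),
    ("rec-005", "powershell.exe -nop -w hidden -EncodedCommand "
                "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo="),
]

# Constructed minimal event XML carrying the rec-002 text.
SAMPLE_EVENT_XML = (
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
    "<System><EventID>4104</EventID></System>"
    "<EventData>"
    '<Data Name="MessageNumber">1</Data>'
    '<Data Name="ScriptBlockText">' + SAMPLE_RECORDS[1][1] + "</Data>"
    "</EventData></Event>"
)

if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS):
        tag = "ALERT " if f.alert() else "review"
        print(f"{tag} {f.record_id} score={f.score} rules={','.join(f.matched)}")
```

Only rec-002 crosses the threshold, because a single rule (an encoded command, an Add-Type compile) is common in legitimate administration; the combination of decode, reflective load and dynamic evaluation in one block is what a defender wants surfaced first. Feed real 4104 XML through `extract_script_block` and tune the weights against your own baseline before relying on the cut-off.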
Security Headlines
This week's security headlines include:
- Russian government hackers said to be behind US federal court filing system hack. The Russian government is allegedly behind the data breach affecting the U.S. court filing system known as PACER, according to The New York Times.
- North Korean Kimsuky hackers exposed in alleged data breach. The North Korean state-sponsored hacking group known as Kimsuky has reportedly suffered a data breach after two hackers stole the group's data and leaked it publicly online.
- Exclusive: Brosix and Chatox promised to keep your chats secured. They didn't. A researcher contacted DataBreaches after finding an unsecured backup with 155.3 GB of unique compressed files. The researcher first logged the backup as exposed in late April.
- Netherlands: Citrix Netscaler flaw CVE-2025-6543 exploited to breach orgs. The Netherlands' National Cyber Security Centre (NCSC) is warning that a critical Citrix NetScaler vulnerability was exploited to breach "critical organizations" in the country.
- Russian hackers exploited WinRAR zero-day in attacks on Europe, Canada. A Russian threat group has been observed exploiting a WinRAR zero-day vulnerability as part of a cyberespionage campaign aimed at organizations in Europe and Canada.
Upcoming Events
If you're interested in staying up-to-date with the latest security research and networking opportunities, here are some upcoming events to keep an eye on:
- Blue Team Con (Sept. 4 – 7) Chicago, IL
- LABScon (Sept. 17 – 20) Scottsdale, AZ
- VB2025 (Sept. 24 – 26) Berlin, Germany
Most Prevalent Malware Files from Talos Telemetry
This week's most prevalent malware files from our telemetry include:
- SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
  MD5: 2915b3f8b703eb744fc54c81f4a9c67f
  VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
  Typical Filename: VID001.exe
  Claimed Product: N/A
  Detection Name: Win.Worm.Coinminer::1201
- SHA 256: c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0
  MD5: 8c69830a50fb85d8a794fa46643493b2
  VirusTotal: https://www.virustotal.com/gui/file/c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0
  Typical Filename: AAct.exe
  Claimed Product: N/A
  Detection Name: PUA.Win.Dropper.Generic::1201
- SHA 256: 83748e8d6f6765881f81c36efacad93c20f3296be3ff4a56f48c6aa2dcd3ac08
  MD5: 906282640ae3088481d19561c55025e4
  VirusTotal: https://www.virustotal.com/gui/file/83748e8d6f6765881f81c36efacad93c20f3296be3ff4a56f48c6aa2dcd3ac08
  Typical Filename: AAct_x64.exe
  Claimed Product: N/A
  Detection Name: PUA.Win.Tool.Winactivator::1201